Skip to main content

AcyMailing CVE-2026-56292

| EUVDEUVD-2026-42591 CRITICAL
SQL Injection (CWE-89)
2026-07-09 Joomla GHSA-3m45-8387-4837
9.2
CVSS 4.0 · Vendor: Joomla
Share

Severity by source

Vendor (Joomla) PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.6 HIGH

Network-reachable, unauthenticated SQLi (AV:N/PR:N/UI:N) with primarily data-disclosure impact (C:H) and limited integrity/availability effect; scope kept unchanged absent evidence of cross-system impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Joomla).

CVSS VectorVendor: Joomla

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 14:45 vuln.today
CVE Published
Jul 09, 2026 - 13:49 cve.org
CRITICAL 9.2

DescriptionCVE.org

A SQLi vulnerability in AcyMailing component < 10.11.1 for Joomla was discovered. Exploiting this flaw can lead to unauthorized database access and data leakage.

AnalysisAI

SQL injection in the AcyMailing newsletter/email-marketing extension for Joomla (all versions before 10.11.1) allows remote attackers to inject crafted database queries, resulting in unauthorized database access and data leakage. The high CVSS 4.0 score (9.2) reflects unauthenticated network reach and high confidentiality impact against the Joomla back-end database. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Joomla site running AcyMailing
Delivery
Send crafted request to vulnerable parameter
Exploit
Inject malicious SQL into query
Execution
Bypass query logic and read database
Impact
Exfiltrate subscriber and Joomla user data

Vulnerability AssessmentAI

Exploitation The vulnerability is remotely reachable over the network without authentication (AV:N/PR:N/UI:N) against Joomla sites running AcyMailing versions before 10.11.1. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderately consistent toward high priority but with gaps. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a crafted HTTP request to a vulnerable AcyMailing endpoint on a Joomla site, embedding malicious SQL in a parameter that is concatenated into a database query. Because the vector is network-based and requires no authentication (PR:N), the attacker extracts subscriber data, Joomla user records, or session/credential material from the shared database. …
Remediation Vendor-released patch: AcyMailing 10.11.1 - upgrade the extension to 10.11.1 or later, which resolves the SQL injection. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all Joomla instances running AcyMailing versions prior to 10.11.1; disable the extension on systems unable to patch immediately; enable database query logging. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56292 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy